New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
syscall: TestAmbientCapsUserns fails on Ubuntu 24.04/Linux 6.8.0 #67088
Comments
CC @stapelberg |
AppArmor? |
I put AppArmor in complain mode and the test is now successful. Note that I did the default install and didn't change anything on the apparmor configuration. It appears that profile unprivileged_userns is causing the issue. I find the following in syslog in complain mode:
With app_armor in enforce mode in I find the following:
|
I can confirm
prevents TestAmbientCapsUserns from failing in a persistent manner. |
I have been made aware that there is a section in the Ubuntu release notes that describes the issue. |
To me, it sounds like Ubuntu comes with too-locked-down defaults for development of sandboxing features, but as per the release notes you link, that seems intentional and users are expected to follow one of the possibilities mentioned in the release notes. Other environments (e.g. corporate laptops) also come with similar restrictions (malware scanners that use an allowlist to control which software runs) that need to be turned off for development. So is there anything left to be done on the Go side here? Should we maybe skip the test when we detect apparmor being active? Or adjust the error message to point to the Ubuntu release notes? |
what about an upstream issue so that Ubuntu fixes this? they broke it, they own it. |
Is there any way that the test can detect the problem and simply skip the test in that case? Our goal here should be for the test to pass or be skipped on all systems. We shouldn't change the behavior of the non-test code, though we may want to document the problem. But the test should not fail. |
The test could be skipped if /proc/sys/kernel/apparmor_restrict_unprivileged_userns exists and is set to 1. Unfortunately the flags that control how apparmor will behave (apparmor_restrict_unprivileged_userns_complain and apparmor_restrict_unprivileged_userns_force) are not readable by an unprivileged user, so the test will be skipped even in cases when it may be successful because the apparmor profile is deactivated. |
After reading https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction#checking-the-current-state-of-restricted-unprivileged-user-namespaces and the following sections, I think we should:
The _complain and _force modes seem like rare enough (for machines where you want to develop Go, not for servers on which you would run production programs) that they don’t warrant special handling. I can send a CL for these updates tomorrow. |
Change https://go.dev/cl/585059 mentions this issue: |
Go version
go version go1.22.2 linux/amd64
Output of
go env
in your module/workspace:What did you do?
I installed Ubuntu 24.04 and compiled go 1.22.2 using go 1.20.14 for bootstrapping. all.bash ran into two errors. Investigating the second I changed into go/src/syscall and executed go test and run into the failure again.
Interestingly TestAmbientCaps is skipped because the exec returns operation not permitted.
What did you see happen?
Info about environment:
What did you expect to see?
No error executing go test in go/src/syscall.
The text was updated successfully, but these errors were encountered: